Oregon Department of Transportation
The Oregon Fuels Tax System Accurately Assesses and Collects Fuels Taxes for State and Local Jurisdictions December 2018 2018-44
Secretary of State Dennis Richardson Audits Division Director Kip Memmott
This page intentionally left blank
December 2018
Oregon Department of Transportation
The Oregon Fuels Tax System Accurately Assesses and Collects Fuels Taxes for State and Local Jurisdictions Recommendation Follow-up Results
At the time of the original audit, ODOT agreed with all nine recommendations auditors provided. Our follow-up work shows ODOT has implemented two of those recommendations since the initial report. More work is needed to fully implement the remaining seven recommendations.
Highlights from the Original Audit
The Oregon Fuels Tax System (OFTS) accurately assesses and collects fuels taxes for Oregon and local jurisdictions, collecting over $564 million in 2016. However, processes for issuing fuels tax refunds and system design flaws result in minor overpayments and reporting inaccuracies. Additionally, ODOT should enhance processes for testing system backup files, granting and monitoring user access, setting user password parameters, implementing safeguards over personally identifiable information, and identifying security weaknesses.
Background
In 2013, ODOT contracted with Avalara to implement a new fuels tax system for $2.8 million, replacing an outdated paper based system previously used to handle Oregon Fuels Tax returns.
Purpose
The purpose of this audit was to review and evaluate the effectiveness of key general and application controls that protect and ensure the integrity of the OFTS and its data. The purpose of this follow-up report is to provide a status on the auditee’s efforts to implement recommendations.
Key Findings
1. OFTS accurately calculates, assesses, and collects fuels tax for the state of Oregon and local jurisdictions, but manual processes governing refund payments should be improved to ensure accurate refund payments. 2. Application design flaws result in a small number of refund overpayments and minor reporting inaccuracies. 3. Changes to OFTS computer code are appropriately managed to reasonably ensure that the system and its data will not be compromised as the result of a code change. 4. System back-up processes have never been tested to ensure system data can be restored in the event of a disruption. 5. Security weaknesses exist in processes for granting and reviewing system access, monitoring activities of internal and third-party users with significant system access, and identifying and remediating system security vulnerabilities. In addition, password parameters should be more robust, and safeguards protecting some Personally Identifiable Information (PII) need improving.
Introduction The purpose of this report is to follow up on the recommendations made to ODOT as included in audit report 2017-18, “The Oregon Fuels Tax System Accurately Assesses and Collects Fuels Taxes for State and Local Jurisdictions.” The Oregon Audits Division conducts follow-up procedures for each of our performance audits. This process helps assess the impact of our audit work, promotes accountability and transparency within state government, and ensures audit recommendations are implemented and related risks mitigated to the greatest extent possible.
We use a standard set of procedures for these engagements that includes gathering evidence, assessing the efforts of the auditee to implement our recommendations, concluding and reporting on those efforts, and employing a rigorous quality assurance process to ensure our conclusions are accurate. Implementation status determinations are based on an assessment of evidence rather than self-reported information. To ensure the timeliness of this effort, the division asks all auditees to provide a timeframe for implementing the recommendations in audit reports. We use this timeframe to schedule and execute our follow-up procedures.
Follow-up procedures evaluate the status of each recommendation and assign it one of the following categories: •
•
•
Implemented/Resolved: The auditee has fully implemented the recommendation or otherwise taken the appropriate action to resolve the issue identified by the audit.
Partially implemented: The auditee has begun taking action on the recommendation, but has not fully implemented it. In some cases, this simply means the auditee needs more time to fully implement the recommendation. However, it may also mean the auditee believes it has taken sufficient action to address the issue and does not plan to pursue further action on that recommendation.
Not implemented: The auditee has taken no action on the recommendation. This could mean the auditee still plans to implement the recommendation and simply has not yet taken action; it could also mean the auditee has declined to take the action identified by the recommendation and may pursue other action, or the auditee disagreed with the initial recommendation.
The status of each recommendation and full results of follow-up work for the Oregon Fuels Tax System are detailed in the following pages.
Oregon Secretary of State | 2018-44 | December 2018| Page 1
Recommendation Implementation Status Recommendation
Auditee Action
Status
1. Increase scrutiny and documentation of refund claims to ensure all refund payments are appropriate.
ODOT updated review procedures, including an additional review prior to releasing refunds. Follow-up testing showed that all refund payments were appropriate.
Implemented/ Resolved
2. Work with the vendor to address system flaws regarding inappropriate penalty and interest refunds.
The vendor has not yet identified and fixed the coding error that is the root cause of the overpayments. We identified an additional 46 transactions containing this error since the prior audit totaling roughly $27,000 in overpayments. However, ODOT implemented a manual workaround in February 2018 and no errors were identified since the workaround was implemented. ODOT is working with customers to reclaim the overpayments we identified and has implemented procedures to periodically check for overpayments that may occur in the future. While the workaround resolves the issue, ODOT should continue to work with the vendor to identify and fix the coding error causing the overpayments.
Implemented/ Resolved
3. Perform manual reconciliations of key system reports to ensure that local jurisdictions receive all fuels tax revenue to which they are entitled.
ODOT has not yet been able to perform the reconciliations necessary to ensure local jurisdictions receive all the fuels tax revenue to which they are entitled because key system reports needed to be redesigned. These system reports are in the final stages of testing and appear to be working correctly. ODOT anticipates the reports will be ready by the end of 2018 for staff to begin performing reconciliations.
Partially implemented
4. Periodically test system and data backups to ensure usability and incorporate OFTS into its overall disaster recovery plan.
ODOT has modified procedures to test that data backups can be restored to the application database on a periodic basis. However, these procedures do not include testing to ensure the restored data is correct and usable with the application. Without this step, ODOT cannot fully ensure that, in the event of a disaster, backups can be used to restore the data and application successfully. Additionally, no progress has been made in developing a disaster recovery plan for OFTS to incorporate into their overall disaster recovery plan.
Partially implemented
Oregon Secretary of State | 2018-44 | December 2018| Page 2
5. Establish formal procedures to authorize, document, review, and timely remove access to the system as appropriate.
ODOT has updated their procedures to include periodic reviews of user access. Additional cleanup is needed, including removal of access for nine internal users who have not logged in for more than six months, indicating they may no longer have a need for access. In addition, during our follow-up, we identified 10 new users with authorized access to the system but found no documentation of authorization for their specific roles in OFTS.
Partially implemented
6. Utilize system functionality already available to alert staff to potential security violations and to monitor third party activity.
ODOT implemented changes to system settings prior to the release of the audit report. Upon follow-up we determined that these changes alert external end users of changes to their user account, but did not add alerts to ODOT staff of potential security violations. Furthermore, procedures have not been updated to include periodic review of system logs to ensure activity by both internal and third parties is appropriate.
Not implemented
7. Establish procedures to protect Personally Identifiable Information on fuels tax returns and reevaluate the need for using SSNs on fuels tax return forms.
ODOT management modified their work flow to redact SSNs on returns prior to uploading them into the system. However, written, formal procedures remain in draft and have not yet been approved. Additionally, ODOT has stated that in absence of a Fuels Tax ID number, SSNs will remain an accepted alternative.
Partially implemented
8. Increase password length and complexity requirements for OFTS to comply with statewide IT standards.
OFTS password length and complexity requirements remain unchanged since the prior audit.
Not implemented
9. Work with the vendor to prioritize and correct identified security vulnerabilities and schedule periodic scans of the system at regular intervals to identify any new vulnerabilities.
During our prior audit, ODOT IT staff performed a security scan of OFTS for the first time. While the vendor has been notified of the security vulnerabilities present in the application, additional scans subsequent to our audit show they have not yet mitigated them. ODOT established new procedures to scan the application upon each major change to the system, and continues to notify the vendor regarding the results of the scan.
Partially implemented
Oregon Secretary of State | 2018-44 | December 2018| Page 3
Conclusion ODOT agreed with all nine recommendations in the original audit and planned to have all recommendations fully implemented by February 2018. Our follow-up work shows ODOT has implemented two of these recommendations which help ensure refund claims are appropriately calculated and paid. ODOT also made significant progress on five recommendations but needs to do more to fully resolve them.
However, ODOT did not make progress on two recommendations to improve security by alerting staff about potential security violations and increasing password length and complexity to comply with statewide IT standards. We also noted that several of the recommendations require system fixes that must be performed by ODOT’s vendor. While ODOT was able to resolve recommendation no. 1 through a manual procedure, recommendation no. 9 cannot be resolved without the vendor. ODOT should seek ways to improve vendor responsiveness to their business needs, either through existing contract enforcement or future amendments. We sincerely appreciate the courtesies and cooperation extended by officials and employees of the Oregon Department of Transportation during the course of this follow-up work.
Oregon Secretary of State | 2018-44 | December 2018| Page 4
Follow-up Report Team Will Garber, CGFM, MPA, Deputy Director Teresa Furnish, CISA, Audit Manager
Matthew Owens, CISA, MBA, Principal Auditor
About the Secretary of State Audits Division The Oregon Constitution provides that the Secretary of State shall be, by virtue of his office, Auditor of Public Accounts. The Audits Division performs this duty. The division reports to the elected Secretary of State and is independent of other agencies within the Executive, Legislative, and Judicial branches of Oregon government. The division has constitutional authority to audit all state officers, agencies, boards and commissions as well as administer municipal audit law.
This report is intended to promote the best possible management of public resources. Copies may be obtained from:
Oregon Audits Division 255 Capitol St NE, Suite 500 | Salem | OR | 97310 (503) 986-2255 sos.oregon.gov/audits